With Toyota’s problems all over the news, I started to think about whether compliance and ethics professionals could learn anything from these problems.

To begin, I don’t think there is a systemic problem with their vehicles or with the company. I think the sudden acceleration problem is bunk.

Yes, I own a Toyota, but my Tundra has not been implicated.

Numbers

It is unfortunate that people have died in Toyotas. About 56 people have died in accidents involving Toyotas that allegedly accelerated out of control. That anyone has died or been hurt is difficult to face.

But lets put that number in perspective.  Over 34,000 people died in car crashes in 2008 and over 2 million people were injured.

Over 10,000 of those deadly crashes in 2008 involved alcohol impaired driving. That means you were at least 100 times more likely to be killed by a drunk driver than sudden acceleration.

From an ethics perspective, you obviously don’t want to sell a product that is defective or even a little more likely to injure your customers. Of course, that assumes there is a defect in the product and it’s not just a big pile of media hype.

Look back at Audi

We have seen this situation before. Twenty years ago it was Audi. The reports on Audi suffering from sudden acceleration nearly destroyed the automaker in the late 80s.

They never did find a problem with the Audi cars. Audi was never able to counter the outcry against their cars.

Is there really a problem with the cars?

Surely, the throttle of a car could get stuck open and cause the car to accelerate. Cars are increasingly run through electronics that control the fuel levels and throttle of the car. Floor mats can get stuck on the gas pedals. Cruise controls can malfunction. For any number of reasons, a car could accelerate without the driver’s input. (With Audi, the assumption is that the driver stepped on the gas pedal instead of  the brake pedal.)

But what about the brakes?

Car and Driver ran some tests for unintended acceleration. Even with the throttle held wide open, if you stepped on the brakes your car would stop in roughly the same distance.  In a normal situation, they stopped a Toyota Camry from 70 mph to 0 in 174 feet. With the throttle held open it took 190 feet to stop from 70 mph.

The brakes were not as successful for the hugely powerful Roush Stage 3 Mustang with 540 horsepower. It required an extra 80 feet to stop with all extra horsepower was fighting the brakes.

Even if the engine in most cars suddenly accelerates, the brakes should stop in it roughly the same distance.

However, if you pump the brakes, you may lose the vacuum boost needed for the power assist and have a hard time stopping the car. Prior to anti-lock braking systems, we were taught to pump the brakes in slippery conditions.

Another possibility is that the car could have suffered a brake failure at the same time the throttle failed.

Driver error

One way to deal with sudden acceleration is to disconnect the engine. With a manual transmission you step on the clutch and with an automatic you shift into neutral. (I’m not sure that I would have thought to do that if my throttle got stuck.  I would now.)

With Audi, they main theory was that people were stepping on the gas when they thought they were stepping on the brake.

As for the runaway Prius a few days ago, he could have pumped the brakes and lost the power assist needed to stop the car, or had a simultaneous failure of the brakes and the throttle. (Or he could have faked it.)

Systemic failure

What Toyota needs is a way to avoid systemic failure. It’s really bad to have the throttle and the brakes fail at the same time.

What Toyota needs is a throttle kill switch. When you step on the brakes, the electronic throttle control will cut the throttle and cut the power. In the Car and Driver test, they tried an Infiniti G37 that had the throttle kill and its braking distance barely changed. Many cars have this throttle kill mechanism, but not all.

Having a safeguard for a systemic failure is good thing from a compliance and risk management perspective. By having a throttle kill, it’s easier to point to operator error. (“If you had stepped on the brakes, the engine throttle would have released.”)

What about the conflict of interest?

One problem with a government investigation of Toyota is the inherent conflict of interest the United States government and the taxpayers have in the automobile industry. We own a competitor to Toyota. It would be good for the U.S. ownership in General Motors for Toyota vehicles to be less popular.

I was very disappointed to see Mr. Toyoda flogged in front of a Congressional panel. To some extent, he was being yelled at by the board of directors of GM.

Lessons

In the end, I believe the Toyota story is one of a failure of crisis management and not one of ethics or compliance. It seems like Toyota was not able to quickly gather the facts and act on the facts. They keep announcing recalls, without explaining the problem or the fix.

Every company action made in error is magnified under the white hot lights of the media looking for stories. We the taxpayers and our government has a big conflict of interest in attacking the company without a good set of facts.

The failure of crisis management is going to cost them. There will be shareholder class action lawsuits, driver lawsuits, owner class action lawsuits, the cost of recalls and the long term damage to the company’s image.

See Cartoons by Cartoon by John Trever – Courtesy of Politicalcartoons.com – Email this Cartoon

Sources:

• How To Deal With Unintended Acceleration from Car and Driver
• GM tests Pontiac Vibe brakes against unintended acceleration in wake of Matrix recall from AutoBlog
• Toyotas Are Safe (Enough) by Robert Wright in The New York Times Opinions
• Unintended Acceleration Not Limited To Toyotas from NPR
• Toyota by the Numbers by Leon DeWinter
• Traffic Safety Facts 2008 (pdf) from the U.S. Department of Transportation
• Feds investigate runaway Prius case as Toyota says it’s ‘mystified’ about cause in the Los Angeles Times
• Toyotas, Death and Sudden Acceleration in the Los Angeles Times

It’s always useful to look at what your competition is doing. The same is true in drafting your code of conduct (or code of ethics or whatever name you chose). It is useful to look at you what your competitors’ codes of conduct look like.

Since Sarbanes-Oxley requires a public company to have a code of conduct, its fairly easy to dig around the investor relations portion of their website or SEC filings to get your hands on examples.

Since my company is a real estate company, I put together a database of Codes of Conduct for Real Estate Companies.

My original goal was to find codes for other real estate private equity companies. I struck out.

So I expanded to public REITs and real estate investment advisers. All of the companies in the database are public.

So far I have not found a private real estate company that has published its Code of Conduct. This is what I expected and not a criticism. In fairness, I haven’t publicly published my Code of Conduct.

With compliance, it’s better to think of competitors as peers instead of the competition. You might get some market gain with a competitor lost to a compliance or ethical failure. You’re more likely to get more government oversight and regulation, less of investor confidence and many more headaches.

Database of Codes of Conduct for Real Estate Companies

Image of Columbia Center is by simonsonjh from Wikimedia Commons

Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding that the original version released over a year ago. But this law is the strictest in the country and will be the de facto law of the land for many companies.

Office of Consumer Affairs and Business Regulation released a press release announcing that revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

• The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
• Service Providers include anyone who “stores” personal information through their provision of services to anyone is subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
• The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
• Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.

References:

• Text of the Regulations: 201 CMR 17.00
• Redline showing the latest changes to the regulations
• Press Release – Patrick Administration’s Final Data Security Regulations Filed and Take Effect March 1, 2010; State Received Notice of More than 1 Million Instances of Exposure in Two Years
• Massachusetts Amends Strict Data Privacy Law (Again) – prior post
• Massachusetts Finally Finalizes Data Security Regulations – We Think by Kristen J. Mathews for the Privacy Law Blog
• Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline by Gabriel M. Helmer for Security, Privacy and The Law

You may have heard the story about Van Halen’s banning of brown M&M’s from its dressing room. I chalked it up to the pampered life of rock stars. (Especially, when compared to the more mundane life of a chief compliance officer.)

I just listened to the latest episode of  This American Life which revealed that the provision was not about pampering. It was about compliance.  Host Ira Glass talked with John Flansburgh (from the band They Might Be Giants) and he explained why the M&M clause was actually an ingenious business strategy. They recounted an except from David Lee Roth’s autobiography, Crazy from the Heat:

Van Halen was the first band to take huge productions into tertiary, third-level markets. We’d pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through.The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say “Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . .” This kind of thing. And article number 126, in the middle of nowhere, was: “There will be no brown M&M’s in the backstage area, upon pain of forfeiture of the show, with full compensation.”

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

Van Halen used the candy as a warning flag for an indication that something may be wrong. I see some lessons to be learned.

References:

• This American Lie Episode 386: Fine Print
• Van Halen’s Legendary M&M’s Rider from the Smoking Gun

Back in April, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email (Stengart v. Loving Care [.pdf]) That case has now been overturned. It seems that a company’s policy on computer use may be more limited that I originally posted.

Factual Background:

The company provided Stengart with a laptop computer and a work email address. Prior to her resignation, plaintiff communicated with her attorneys, Budd Larner, P.C., by email about an anticipated suit against the company, and using the work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After Stengart filed suit, the company extracted a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, an attorney discovered numerous communications between Stengart and her attorney from the time period prior to her resignation from employment with Stengart.

I found it strange that the email from a web-based email account would be stored on the local computer. I am going to guess that it was attachments to the email that ended up stored on the computer in a temporary file and not the email itself.

Company Position:

According to the decision, the company’s policy may not have been clearly distributed and applied. There was some factual disputes about whether the company had ever adopted or distributed such a policy. There was a further dispute that even if the policy was put in place as to whether it applied to executives like Stengart.

Decision:

In the end the company’s position didn’t matter and the court assumed the policy was in place. Instead, the court took a harsh position:

A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest. See Western Dairymen Coop., 684 P.2d 647, 649 (Utah 1984). When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in State v. M.A., 402 N.J. Super. 353 (App. Div. 2008); Doe v. XYC Corp., 382 N.J. Super. 122, 126 (App. Div. 2005) — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.

Those were some broad statements, but the decision was ultimately limited to the attorney-client privilege.

There is no question — absent the impact of the company’s policy — that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company’s claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

It seems that New Jersey courts are now taking the position that a company cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy. The exception to this rule would be when the company needs to know the content of the e-mail to determine whether the employee broke the law or violated company policy.

References:

• Stengart v. Loving Care Agency Inc., App. Div. (Fisher, J.A.D.) (A-3506-08T1; APPROVED FOR PUBLICATION; Decided June 26, 2009) – hosted by Rutgers
• New Jersey Appeals Court Broadly Construes Employee’s “Right To Privacy” Using Company Computers by Littler Mendelson’s Privacy & Data Protection Practice Group
• Email Storage and the Attorney Client Privilege by Mark J. Astarita on SECLaw.com – The Securities Law Blog
• Workplace Computers and the Attorney Client Privilege – Part 2 by Paul G. Kostro of NJ Family Issues

Two cases illustrate some of the problems with the use of outside counsel for internal investigations. The possibility that a conflict of interest could arise when an attorney or law firm simultaneously represents an organization and one or more of its officers or directors is a recurring issue.

A ruling earlier this month by U.S. District Judge Cormac Carney made a stark warning to lawyers that they need to warn a company’s employees in internal company investigations that they represent the company, not the employee. Judge Carney dismissed portions of the government’s criminal case against William J. Ruehle, the former CFO of Broadcom Corp. after finding that the law firm hired by Broadcom to review possibly illegal stock-option grants failed to explain clearly to the executive that it wasn’t representing him. Irell & Manella was involved in three separate but related representation of Broadcom and Mr. Ruehle.

Judge Carney ruled that Mr. Ruehls’s statements are privileged because he “reasonably believed that the lawyers were meeting with him as his personal lawyers, not just Broadcom’s lawyers. Mr. Ruehle has a reasonable expectation that whatever he said to the Irell lawyers would be maintained in confidence.”

Judge Carney mentioned an Upjohn warning or “corporate miranda” to inform a constituent member or an organization that the the attorney represent the organization and not the constituent member. The Judge ruled that the Upjohn warning would not be sufficient because Mr. Ruehle was already a client of Irell. The judge threw the statements of Mr. Ruehle out of evidence and also referred the law firm to the California state bar for disciplinary action.

A similar issue recently arose during the government investigation of R. Allen Stanford. Proskauer Rose lawyer Thomas Sjoblom accompanied Stanford Financial Group’ Chief Investment Officer Laura Pendergest-Holt to an SEC investigation. According to the Wall Street Journal, he said during the testimony that he represented Mr. Stanford and officers and directors of his affiliated entities. Ms. Pendergest-Holt believed he was representing her. She got indicted and is now suing Sjoblom for malpractice. She alleges that Sjoblom caused her to speak to the SEC without informing her of her Fifth Amendment rights against self-incrimination, that she was not required to testify, that she had no attorney-client privilege with him and that the interests of her employer were adverse to her interests

If you hire an outside law firm as part of an investigation, you need to make it clear that the lawyers represent the company and not the employee or executive. The lawyers need to be clear as well since they are likely to be subject to an ethics complaint or malpractice suit if they are not clear.

See:

• For Corporate Lawyers, There’s Just One Client by Kara Scannell for the Wall Street Journal
• Judge Carney’s Broadcom Ruling Grabs Attention of White Collar Bar by Bruce Carton for Securities Docket
• A Case of Divided Loyalties by Kevin M. LaCroix of The D&O Diary
• Miranda Warnings for Lawyers? Recent Rulings Highlight the Possibility by Ashby Jones of the WSJ Law Blog
• Order Suppressing Privileged Communications in US V. Nichols and Ruehle (Broadcomm case) – Hosted on JD Supra
• Upjohn Co. v. United States, 449 U.S. 383 (1981)

I am an enthusiast of social networking sites and web 2.0. But I realize they have limitations and dangers. I have been very concerned about the Recommendations feature in LinkedIn. That feature allows any of your connections on LinkedIn to post a recommendation or endorsement about you that appears on your profile page.

At first, that seems great. Since the one view of LinkedIn is that it operates as an online resume, posting recommendations is a smart feature. But what if you are in a regulated industry? Many professions have limitation on what they can say in advertisements and what they can say about their services.

I took a look at how recommendations are regulated for investment advisers and for lawyers. Two areas that affect me the most.

If you a registered investment adviser, you are subject to Rule 206(4)-1:

a. It shall constitute a fraudulent, deceptive, or manipulative act, practice, or course of business within the meaning of section 206(4) of the Act for any investment adviser registered or required to be registered under section 203 of the Act, directly or indirectly, to publish, circulate, or distribute any advertisement:

(1) Which refers, directly or indirectly, to any testimonial of any kind concerning the investment adviser or concerning any advice, analysis, report or other service rendered by such investment adviser. . .

It looks like recommendations are prohibited in an “advertisement.” The definition of “advertisement” is broad:

b. For the purposes of this section the term advertisement shall include any notice, circular, letter or other written communication addressed to more than one person, or any notice or other announcement in any publication or by radio or television, which offers (1) any analysis, report, or publication concerning securities, or which is to be used in making any determination as to when to buy or sell any security, or which security to buy or sell, or (2) any graph, chart, formula, or other device to be used in making any determination as to when to buy or sell any security, or which security to buy or sell, or (3) any other investment advisory service with regard to securities.

Is your LinkedIn profile an “advertisement” under this rule?  If you state that you offer investment advisory services on your LinkedIn profile, then I think it is an advertisement. So you should not have recommendations.

What about lawyers? The first problem is that every jurisdiction has a different set of rules about attorney advertising. You need to take a look at the rules in your jurisdiction.

First look to the ABA Model Rule 7.1:

A lawyer shall not make a false or misleading communication about the lawyer or the lawyer’s services. A communication is false or misleading if it contains a material misrepresentation of fact or law, or omits a fact necessary to make the statement considered as a whole not materially misleading.

Under this rule, you could have a recommendation as long as does not have a material misrepresentation and is not misleading. That gets you into gray areas very quickly.

This is just a model rule. Every state is different. For example, Arkansas[Rule 7.1 (d)], Florida [Rule 4-7.2(c)(1)(J)], Indiana [Rule 7.2(d)(3)], South Carolina [Rule 7.1(d)], and Wyoming [Rule 7.2(h)] all explicitly prohibit any kind of testimonial in attorney advertising. Nevada, Pennsylvania, California, Louisiana, Missouri, New York, Oregon, South Dakota, Texas, and Virginia have limitations on what can be said in a testimonial or a disclaimer that needs to be present.

What do I think? Keep recommendations off your LinkedIn profile.

See:

• Adviser Use of LinkedIn May Violate SEC Rules by Bill Winterberg of FPPad.com
• FINRA’s Guide to the Internet – previous post
• Information on Professionalism & Ethics in Lawyer Advertising published by the American Bar Association.
• Massachusetts Rules of Professional Conduct – Rule 7.1

Just like the Corporate Compliance Fraud in Ohio, Compliance Services is also targeting companies in Georgia, Florida and Massachusetts.

The Daily Citizen is reporting Georgia corporations warned about solicitations. The Georgia Secretary of State issued a warning:

“Several corporations registered with the Corporations Division of the Office of the Secretary of State received a letter from Georgia Corporate Compliance, a private company offering to complete corporation meeting minutes on behalf of registered corporations.”

The Attorney General of Florida also issued a warning:

Over the past several months, the Attorney General’s Office has received numerous complaints against several of these companies. Last week the Attorney General settled a lawsuit against one such company, Corporate Compliance Center, over allegations that the company misled Florida businesses relating to the sale of corporate minutes reports. Two other companies, Corporate Minutes Compliance Service and Corporate Minute Services, were prevented from operating in Florida when the Attorney General’s Office threatened litigation.

Bill Galvin, the Secretary of the Commonwealth of Massachusetts issued his warning:

Recently, an entity calling itself “Compliance Services” mailed solicitations entitled “Annual Minutes Requirement Statement Directors and Shareholders” to numerous Massachusetts corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, Massachusetts corporations are not required by law to file corporate minutes with the Secretary of State.

Thanks to Corporate Compliance Insights: Compliance Scam Alert in Georgia: Corporate Minutes Hoax Not Limited to Ohio.

See also:

• Fraud announcement from the Georgia Secretary of State
• Crist: Businesses Should Be Wary of Out-of-State Compliance Notices
• Notice regarding “Compliance Services” Solicitation from the Massachusetts Secretary of State